Method for generating public key and secret key based on module-wavy and module-LWR and method of encryption and decryption using the keys

ABSTRACT

The computer-implemented method for generating a public key and a secret key of the present disclosure comprises determining, by a processor, the secret key (s) by sampling from a distribution over $\{-1, 0, 1\}^{nd}$; determining, by a processor, a first error vector (e) by sampling from $(D_{\alpha q}^{n})^{d}$ and a second error value (e′) by sampling from $D_{\alpha q}^{n}$; choosing, by a processor, a randomly uniform matrix A which satisfies A·s=e (mod q); choosing, by a processor, a random column vector b which satisfies

$\left\langle b, s \right\rangle = \left\lfloor \frac{q}{2} \right\rfloor + e^{\prime} \pmod q;$

and determining, by a processor, the public key (pk) by $(A \| b) \in R_{q}^{d \times (d+1)}$.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of International Application No. PCT/KR2018/016014, filed on Dec. 17, 2018, which claims priority to Korean Application No. 10-2017-0183661, filed on Dec. 29, 2017. Both applications are incorporated herein by reference in their entirety.

TECHNICAL FIELD

The present disclosure relates to a lattice-based public key cryptographic method. More specifically, the present disclosure relates to a method for generating a public key and a secret key based on Module-Wavy and Module-LWR, and to an encryption/decryption method using the keys.

BACKGROUND

Encryption methods are generally divided into symmetric key encryption and asymmetric key encryption. In symmetric key encryption, the same key is used for encryption and decryption, thereby providing fast encryption and decryption. However, security is severely compromised when the key is stolen by a third party. In order to solve this problem, asymmetric key encryption has been introduced. The asymmetric key cryptographic method uses a public key, which is disclosed, and a secret key (private key), which is provided only to a user. A plain text is encrypted by the public key and the encrypted message is decrypted by the secret key. Among the public key encryption schemes, the RSA algorithm has been widely used. However, it is expected that RSA encryption can be broken by a quantum computer. Thus, a more powerful encryption scheme is needed.

Recently, a lattice-based public key cryptography scheme called “Kyber” has been introduced. The Kyber scheme is described in “Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J. M., Schwabe, P., Stehlé, D.: CRYSTALS—kyber: a CCA-secure module lattice-based KEM. Cryptology ePrint Archive, Report 2017/634 (2017)” and on the website http://eprint.iacr.org/2017/634. However, the size of the encrypted message is large, since the encrypted message consists of two components, and the speed is low compared to conventional schemes such as “NTRU.”

SUMMARY

The object of the present disclosure is to provide a lattice-based public key cryptographic method wherein the size of an encrypted message, the communication load and the communication traffic are reduced compared with the conventional art.

The computer-implemented method for generating a public key and a secret key of the present disclosure comprises determining, by a processor, the secret key (s), which is a vector of polynomials of degree (n−1), the coefficients of which are −1, 0, or +1; determining, by a processor, a first error vector (e) by sampling from $(D_{\alpha q}^{n})^{d}$ and a second error value (e′) by sampling from $D_{\alpha q}^{n}$; choosing, by a processor, a randomly uniform matrix $A \in R_{q}^{d \times d}$ which satisfies A·s=e (mod q); choosing, by a processor, a random column vector $b \in R_{q}^{d}$ which satisfies

$\left\langle b, s \right\rangle = \left\lfloor \frac{q}{2} \right\rfloor + e^{\prime} \pmod q;$

and determining, by a processor, the public key (pk) by $(A \| b) \in R_{q}^{d \times (d+1)}$.

The secret key (s) can be sampled from $WT_{n}(h_{s})^{d}$.

The computer-implemented method of encrypting a message using the public key of the present disclosure comprises receiving, by a processor, the public key (pk) and a message (m∈R₂); randomly selecting, by a processor, d polynomials of degree (n−1), the coefficients of which are −1, 0, or +1; generating, by a processor, a first value by operating the polynomials and at least a portion of the public key (pk); generating, by a processor, a second value by encoding the message with at least a portion of the public key (pk); generating, by a processor, a third value by operating the first value and the second value; and generating a ciphertext by a rounding operation on the third value for removing pre-set lower bits.

In an embodiment of the present disclosure, a column vector (r) of the polynomials is determined by sampling over $WT_{n}(h_{r})^{d}$; the first value is determined by $A^{T} \cdot r$; the second value is determined by $m \cdot b$; the third value is determined by $A^{T} \cdot r + m \cdot b$; and then the ciphertext (c) is generated by

$c = {\left\lfloor {\frac{p}{q} \cdot \left( {{A^{T} \cdot r} + {m \cdot b}} \right)} \right\rceil \in {R_{p}^{d}.}}$

The computer-implemented method of decrypting the ciphertext of the present disclosure comprises receiving, by a processor, a ciphertext c; and decrypting, by a processor, the ciphertext c to obtain the message (m). The message (m) is obtained by the decryption process of

$m = {\left\lfloor {\frac{2}{p} \cdot \left\langle {c,s} \right\rangle} \right\rfloor.}$

BRIEF DESCRIPTION OF DRAWINGS

The present disclosure will be more fully understood from the following detailed description taken in conjunction with the accompanying drawings.

FIG. 1 is one embodiment of an example diagrammatic view of a device architecture which carries out the present disclosure.

FIG. 2 is a flow chart of the process which generates a public key and a secret key according to the present disclosure.

It should be understood that the above-referenced drawings are not necessarily to scale, presenting a somewhat simplified representation of various preferred features illustrative of the basic principles of the disclosure. The specific design features of the present disclosure will be determined in part by the particular intended application and use environment.

DETAILED DESCRIPTION

Hereinafter, the present disclosure will be described in detail with reference to the accompanying drawings. As those skilled in the art would realize, the described embodiments may be modified in various different ways, all without departing from the spirit or scope of the present disclosure. Further, throughout the specification, like reference numerals refer to like elements.

In this specification, the order of each step should be understood in a non-limited manner unless a preceding step must be performed logically and temporally before a following step. That is, except for the exceptional cases as described above, although a process described as a following step is preceded by a process described as a preceding step, it does not affect the nature of the present disclosure, and the scope of rights should be defined regardless of the order of the steps. In addition, in this specification, “A or B” is defined not only as selectively referring to either A or B, but also as including both A and B. In addition, in this specification, the term “comprise” has a meaning of further including other components in addition to the components listed.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used herein, the singular forms “a,” “an,” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprise” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items. The term “coupled” denotes a physical relationship between two components whereby the components are either directly connected to one another or indirectly connected via one or more intermediary components. Unless specifically stated or obvious from context, as used herein, the term “about” is understood as within a range of normal tolerance in the art, for example within 2 standard deviations of the mean. “About” can be understood as within 10%, 9%, 8%, 7%, 6%, 5%, 4%, 3%, 2%, 1%, 0.5%, 0.1%, 0.05%, or 0.01% of the stated value. Unless otherwise clear from the context, all numerical values provided herein are modified by the term “about.”

The method according to the present disclosure can be carried out by an electronic arithmetic device such as a computer, tablet, mobile phone, portable computing device, stationary computing device, etc. Additionally, it is understood that one or more various methods, or aspects thereof, may be executed by at least one processor. The processor may be implemented on a computer, tablet, mobile device, portable computing device, etc. A memory configured to store program instructions may also be implemented in the device(s), in which case the processor is specifically programmed to execute the stored program instructions to perform one or more processes, which are described further below. Moreover, it is understood that the below information, methods, etc. may be executed by a computer, tablet, mobile device, portable computing device, etc. including the processor, in conjunction with one or more additional components, as described in detail below. Furthermore, control logic may be embodied as non-transitory computer readable media on a computer readable medium containing executable program instructions executed by a processor, controller/control unit or the like. Examples of the computer readable media include, but are not limited to, ROM, RAM, compact disc (CD)-ROMs, magnetic tapes, floppy disks, flash drives, smart cards and optical data storage devices. The computer readable recording medium can also be distributed in network coupled computer systems so that the computer readable media are stored and executed in a distributed fashion, e.g., by a telematics server or a Controller Area Network (CAN).

A variety of devices can be used herein. FIG. 1 illustrates an example diagrammatic view of an exemplary device architecture according to embodiments of the present disclosure. As shown in FIG. 1, a device 109 may contain multiple components, including, but not limited to, a processor (e.g., central processing unit (CPU)) 110, a memory 120, a wired or wireless communication unit 130, one or more input units 140, and one or more output units 150. It should be noted that the architecture depicted in FIG. 1 is simplified and provided merely for demonstration purposes. The architecture of the device 109 can be modified in any suitable manner as would be understood by a person having ordinary skill in the art, in accordance with the present claims. Moreover, the components of the device 109 themselves may be modified in any suitable manner as would be understood by a person having ordinary skill in the art, in accordance with the present claims. Therefore, the device architecture depicted in FIG. 1 should be treated as exemplary only and should not be treated as limiting the scope of the present disclosure.

The processor 110 is capable of controlling operation of the device 109. More specifically, the processor 110 may be operable to control and interact with multiple components installed in the device 109, as shown in FIG. 1. For instance, the memory 120 can store program instructions that are executable by the processor 110 and data. The process described herein may be stored in the form of program instructions in the memory 120 for execution by the processor 110. The communication unit 130 can allow the device 109 to transmit data to and receive data from one or more external devices via a communication network. The input unit 140 can enable the device 109 to receive input of various types, such as audio/visual input, user input, data input, and the like. To this end, the input unit 140 may be composed of multiple input devices for accepting input of various types, including, for instance, one or more cameras 142 (i.e., an “image acquisition unit”), touch panel 144, microphone (not shown), sensors 146, keyboards, mice, one or more buttons or switches (not shown), and so forth. The term “image acquisition unit,” as used herein, may refer to the camera 142, but is not limited thereto. The input devices included in the input unit 140 may be manipulated by a user. The output unit 150 can display information on the display screen 152 for a user to view. The display screen 152 can also be configured to accept one or more inputs, such as a user tapping or pressing the screen 152, through a variety of mechanisms known in the art. The output unit 150 may further include a light source 154. The device 109 is illustrated as a single component, but the device may also be composed of multiple, separate components that are connected together and interact with each other during use.

The device 109 can thus be programmed in a manner allowing it to carry out the steps and/or processes of the present disclosure.

Generally, bold lowercase letters denote a column vector and bold uppercase letters denote a matrix in this specification.

Notations

n: a power of 2

d: a positive integer

q: a positive integer; a large modulus

p: a positive integer less than q; a rounding modulus

$\mathbb{Z}_{q} = \left( -\frac{q}{2}, \frac{q}{2} \right] \cap \mathbb{Z}$, which means the set of integers $z$ with $-\frac{q}{2} < z \leq \frac{q}{2}$; $\mathbb{Z}_{t}$ is defined in the same way.

$R = \mathbb{Z}[x]/(f(x))$, $R_{q} = \mathbb{Z}_{q}[x]/(f(x))$, $R_{t} = \mathbb{Z}_{t}[x]/(f(x))$

(f(x)): the ideal of $\mathbb{Z}_{q}[x]$ which is generated by f(x)

f(x): a polynomial of degree n (for example, a cyclotomic polynomial when $n = \Phi(N)$)

R (ring): the set of polynomials of degree (n−1), the coefficients of which are integers

Operation over R: every polynomial operation is carried out and the result is reduced to its remainder after division by f(x)

$R_{q}$ (ring): the set of polynomials of degree (n−1), the coefficients of which are elements of $\mathbb{Z}_{q}$

Operation over $R_{q}$: every polynomial operation is carried out; the result of the operation is reduced to its remainder after division by f(x); and then q is added to or subtracted from each coefficient such that all coefficients lie in $\mathbb{Z}_{q}$

$R_{t}$ (ring): the set of polynomials of degree (n−1), the coefficients of which are elements of $\mathbb{Z}_{t}$

Operation over $R_{t}$: every polynomial operation is carried out; the result of the operation is reduced to its remainder after division by f(x); and then t is added to or subtracted from each coefficient such that all coefficients lie in $\mathbb{Z}_{t}$

$\lfloor r \rceil$: the nearest integer to the real number r, rounding upwards in case of a tie

For two matrices A and B having the same number of rows, (A∥B) denotes their concatenation, i.e., for $A \in \mathbb{Z}^{m \times n_{1}}$ and $B \in \mathbb{Z}^{m \times n_{2}}$, the $m \times (n_{1} + n_{2})$ matrix C=(A∥B) is defined as

$c_{i,j} = \left\{ \begin{matrix} a_{i,j} & 1 \leq j \leq n_{1} \\ b_{i, j - n_{1}} & n_{1} < j \leq n_{1} + n_{2} \end{matrix} \right.$

x←D: sampling x according to the distribution D. It denotes uniform sampling when D is a finite set.

$D_{\sigma}$: a discrete Gaussian distribution; a probability distribution with support $\mathbb{Z}$ that assigns a probability proportional to $\exp\left( -\frac{\pi x^{2}}{\sigma^{2}} \right)$ to each $x \in \mathbb{Z}$. The variance of $D_{\sigma}$ is very close to $\sigma^{2}/2\pi$ unless σ is very small.

For an integer 0≤h≤n, the distribution $WT_{n}(h)$ samples a vector from $\{-1, 0, 1\}^{n}$ under the condition that it has h nonzero elements. This sampled vector $a = (a_{0}, a_{1}, \ldots, a_{n-1})$ is identified with the polynomial $a(x) = \sum_{i=0}^{n-1} a_{i} \cdot x^{i}$ of degree (n−1).

For an integer n≥1, $D^{n}$ denotes the product distribution of n independent and identically distributed random variables, each distributed according to D.

Module-LWR problems are disclosed in Alperin-Sheriff, Jacob, and Daniel Apon. “Dimension-Preserving Reductions from LWE to LWR.” (IACR Cryptology ePrint Archive report 2016/589 (2016). http://eprint.iacr.org/2016/589).

For positive integers n, d, q, p (p<q), let $s \in R^{d}$ be a secret polynomial vector. $A_{n,d,q,p}^{MLWR}(s)$ is the distribution of

$\left( a, \left\lfloor \frac{p}{q} \left\langle a, s \right\rangle_{q} \right\rceil \right) \in R_{q}^{d} \times R_{p},$ where $a \leftarrow R_{q}^{d}$. The Module-LWR problem $MLWR_{n,d,q,p}(D)$ is to distinguish between $A_{n,d,q,p}^{MLWR}(s)$ and the uniform distribution over $R_{q}^{d} \times R_{p}$, where s←D.

For a secret polynomial vector $s \in R^{d}$, we first choose an error polynomial $e \leftarrow D_{\alpha q}^{n}$, and uniformly at random choose $a \leftarrow R_{q}^{d}$ satisfying $\left\langle a, s \right\rangle_{q} = e$ in $R_{q}$. Denote the distribution of a by $A_{n,d,q,\alpha}^{MWavy}(s)$. The Module-Wavy problem $MWavy_{n,d,q,\alpha}(D)$ is to distinguish $A_{n,d,q,\alpha}^{MWavy}(s)$ and the uniform distribution over $R_{q}^{d}$, where s←D.

The method for generating the public key and the secret key according to the present disclosure will be described hereinafter.

A security parameter is determined, and then the positive integers n, $h_{s}$, $h_{r}$, p, q are chosen based on the determined security parameter, where $h_{s}$ and $h_{r}$ are less than n. Further, an error parameter α with 0<α<1 is fixed. The security parameter λ is a measure of the security of an encryption scheme. For example, the security parameter λ is set to “128.”

In the step S100, a polynomial column vector s is sampled by $s \leftarrow WT_{n}(h_{s})^{d}$. The polynomials of the column vector have coefficients of “0,” “+1,” or “−1.” This vector is determined as the secret key as described below.

In the step S110, the first error vector (e) and the second error value (e′) are sampled as follows: $e \leftarrow (D_{\alpha q}^{n})^{d}$, $e^{\prime} \leftarrow D_{\alpha q}^{n}$.

In the step S120, a matrix $A \in R_{q}^{d \times d}$ satisfying A·s=e (mod q) is chosen uniformly at random.

In the step S130, a random column vector $b \in R_{q}^{d}$ satisfying $\left\langle b, s \right\rangle = \left\lfloor \frac{q}{2} \right\rfloor + e^{\prime} \pmod q$ is chosen. $\left\lfloor \frac{q}{2} \right\rfloor$ means the round down of $\frac{q}{2}$.

In the step S140, the public key and the secret key of the present disclosure can be determined as follows: Public key (pk) = $(A \| b) \in R_{q}^{d \times (d+1)}$; Secret key (sk) = s.

The encryption and decryption methods of the present disclosure will be described below.

A message m∈R₂ is received by a user having a public key. The message m can be represented by a polynomial of degree n, the coefficients of which are elements of $\mathbb{Z}_{2}$.

A polynomial column vector r, the coefficients of which are 0, −1, or +1, is sampled as follows: $r \leftarrow WT_{n}(h_{r})^{d}$.

$WT_{n}(h_{s})^{d}$ and $WT_{n}(h_{r})^{d}$ mean to randomly sample d polynomials of degree (n−1), the coefficients of which are −1, 0, or +1, from $WT_{n}(h_{s})$ and $WT_{n}(h_{r})$, respectively.

A first value is generated by operating the aforementioned polynomials and at least a portion of the public key; a second value is generated by encoding the message with at least a portion of the public key; and then a third value is generated by operating the first value and the second value.

The first value can be generated by the operation $A^{T} \cdot r$. The second value can be generated by the operation $m \cdot b$. The third value can be generated by the operation $A^{T} \cdot r + m \cdot b$. The ciphertext is generated by a rounding operation on the third value so as to remove pre-set lower bits.

The ciphertext c can be generated as follows:

$c = {\left\lfloor {\frac{p}{q} \cdot \left( {{A^{T} \cdot r} + {m \cdot b}} \right)} \right\rceil \in R_{p}^{d}}$

$R_{p}^{d}$ means a ring, the elements of which are tuples of d polynomials of degree (n−1). The coefficients of the polynomials are elements of $\mathbb{Z}_{p}$.

The size of the ciphertext c of the present disclosure is significantly reduced since the ciphertext has one component, unlike the conventional Kyber scheme, and p<q. Thus, the encryption process is faster and communication traffic is significantly reduced compared to conventional lattice-based public key cryptography.

The ciphertext c can be decrypted as follows to obtain the message.

$m = \left\lfloor \frac{2}{p} \cdot \left\langle c, s \right\rangle \right\rfloor$
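The key generation (steps S100 to S140), encryption and decryption described above, as an added toy implementation that is not part of the patent. It fixes tiny constructed parameters (n = 8, d = 2, q = 7681, p = 256, h_s = h_r = 4, σ = αq = 8), takes f(x) = x^n + 1, and, because the text does not say how a uniform A with A·s = e is obtained, assumes the construction of choosing d − 1 entries of each row uniformly and solving for the last one with the inverse of s_d (resampling s until s_d is invertible); decryption rounds (2/p)⟨c, s⟩ to the nearest integer and reads it mod 2 instead of applying the floor in the formula above, which is my choice so that signed noise decodes correctly.

```python
import math, random

# Toy parameters, constructed for readability and far too small for security:
# n = 8 (power of 2), d = 2, q = 7681 (prime, 2n | q-1), p = 256, h_s = h_r = 4, sigma = alpha*q = 8
N, D, Q, P, HS, HR, SIGMA = 8, 2, 7681, 256, 4, 4, 8.0
PSI = next(g for g in range(2, Q) if pow(g, N, Q) == Q - 1)  # psi^n = -1: a primitive 2n-th root mod q
HALF = [Q // 2] + [0] * (N - 1)                              # the constant polynomial floor(q/2)

def rnd(x): return math.floor(x + 0.5)                       # nearest integer, rounding up on a tie
def centred(x, mod): return x % mod - (mod if x % mod > mod // 2 else 0)  # representative in (-mod/2, mod/2]

def mul(f, g, mod=Q):                                        # schoolbook product in Z_mod[x]/(x^n + 1)
    out = [0] * N
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            if i + j < N: out[i + j] += a * b
            else: out[i + j - N] -= a * b                    # x^n = -1
    return [x % mod for x in out]
def add(f, g, mod=Q): return [(a + b) % mod for a, b in zip(f, g)]
def sub(f, g, mod=Q): return [(a - b) % mod for a, b in zip(f, g)]
def dot(u, v, mod=Q):                                        # <u, v> = sum of u_i * v_i over the ring
    acc = [0] * N
    for f, g in zip(u, v): acc = add(acc, mul(f, g, mod), mod)
    return acc

def inverse(f):                   # inverse in R_q via evaluation at the n roots psi^(2k+1) of x^n + 1
    fh = [sum(f[j] * pow(PSI, (2*k+1)*j, Q) for j in range(N)) % Q for k in range(N)]
    if 0 in fh: return None       # f vanishes at a root, so it is not a unit
    return [pow(N, -1, Q) * sum(pow(fh[k], -1, Q) * pow(PSI, -(2*k+1)*j, Q) for k in range(N)) % Q
            for j in range(N)]
def sample_wt(rng, h):            # WT_n(h): ternary vector with exactly h nonzero entries
    v = [0] * N
    for i in rng.sample(range(N), h): v[i] = rng.choice((-1, 1))
    return v
def sample_gauss(rng, sigma):     # D_sigma by rejection, weight exp(-pi x^2 / sigma^2) as defined above
    t = math.ceil(6 * sigma)
    while True:
        x = rng.randint(-t, t)
        if rng.random() < math.exp(-math.pi * x * x / (sigma * sigma)): return x

def keygen(rng):
    while True:                                              # S100: s <- WT_n(h_s)^d, resampled until
        s = [sample_wt(rng, HS) for _ in range(D)]           # s_d is a unit (my assumption: the last
        sd_inv = inverse(s[-1])                              # column of A and entry of b are solved for)
        if sd_inv: break
    gauss = lambda: [sample_gauss(rng, SIGMA) % Q for _ in range(N)]
    e, e2 = [gauss() for _ in range(D)], gauss()             # S110: e <- (D^n)^d, e' <- D^n
    uni = lambda: [[rng.randrange(Q) for _ in range(N)] for _ in range(D - 1)]
    def solve(target, fixed):     # d-1 uniform entries plus one entry making <., s> = target
        return fixed + [mul(sd_inv, sub(target, dot(fixed, s[:-1])))]
    A = [solve(e[i], uni()) for i in range(D)]               # S120: A s = e (mod q)
    b = solve(add(HALF, e2), uni())                          # S130: <b, s> = floor(q/2) + e'
    return (A, b), s                                         # S140: pk = (A || b), sk = s

def encrypt(rng, pk, m):          # m: list of n bits, i.e. a polynomial in R_2
    A, b = pk
    r = [sample_wt(rng, HR) for _ in range(D)]               # r <- WT_n(h_r)^d
    at_r = [dot([A[i][j] for i in range(D)], r) for j in range(D)]       # first value A^T r
    third = [add(x, mul(m, bj)) for x, bj in zip(at_r, b)]   # plus the second value m b
    return [[rnd(P * centred(x, Q) / Q) % P for x in f] for f in third]  # c = round((p/q) * third)

def decrypt(sk, c):               # (2/p)<c,s>, rounded to nearest and read mod 2 (my choice instead of
    v = dot(c, sk, P)             # the page's floor, so that signed noise decodes correctly)
    return [rnd(2 * centred(x, P) / P) % 2 for x in v]

def demo(seed):                   # returns (message, decrypted message, largest key-generation error)
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    m = [rng.randrange(2) for _ in range(N)]
    errs = [dot(row, sk) for row in pk[0]] + [sub(dot(pk[1], sk), HALF)]   # A s and <b,s> - floor(q/2)
    return m, decrypt(sk, encrypt(rng, pk, m)), max(abs(centred(x, Q)) for f in errs for x in f)
```

demo(seed) runs key generation, encrypts a random 8-bit message and decrypts it; the third value it returns is the largest coefficient of A·s and of ⟨b, s⟩ − ⌊q/2⌋, which must be a small Gaussian error if the Wavy relations hold.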

Although the present disclosure has been described with reference to the accompanying drawings, the scope of the present disclosure is determined by the claims described below and should not be interpreted as being restricted by the embodiments and/or drawings described above. It should be clearly understood that improvements, changes and modifications of the present disclosure disclosed in the claims and apparent to those skilled in the art also fall within the scope of the present disclosure. Accordingly, this description is to be taken only by way of example and not to otherwise limit the scope of the embodiments herein.

What is claimed is:
 1. A computer-implemented method of decrypting a ciphertext, the method comprising: receiving, by a processor, a ciphertext c, over a network; and decrypting, by a processor, the ciphertext c to obtain a message (m) which is $\left\lfloor \frac{2}{p} \cdot \left\langle c, s \right\rangle \right\rfloor$, s being a secret key; wherein a public key and the secret key are generated by a method comprising: a step of determining, by a processor, the secret key (s) by sampling from $WT_{n}(h_{s})^{d}$; a step of determining, by a processor, an error vector (e) by sampling from $(D_{\alpha q}^{n})^{d}$ and an error value (e′) by sampling from $D_{\alpha q}^{n}$; a step of choosing, by a processor, a randomly uniform matrix $A \in R_{q}^{d \times d}$ which satisfies A·s=e (mod q); a step of choosing, by a processor, a random column vector $b \in R_{q}^{d}$ which satisfies $\left\langle b, s \right\rangle = \left\lfloor \frac{q}{2} \right\rfloor + e^{\prime} \pmod q$; and a step of determining, by a processor, $(A \| b) \in R_{q}^{d \times (d+1)}$ as the public key (pk); wherein the ciphertext c is generated by a method comprising a step of receiving, by a processor, the public key (pk) and a message (m∈R₂); and a step of generating, by a processor, the ciphertext by $c = \left\lfloor \frac{p}{q} \cdot \left( A^{T} \cdot r + m \cdot b \right) \right\rceil \in R_{p}^{d}$; wherein a column vector (r) is determined by sampling from $WT_{n}(h_{s})^{d}$; and wherein: α is an error parameter which satisfies 0<α<1; q is a positive integer; p is a positive integer less than q; d is a positive integer; n is a power of 2; $h_{s}$ is a positive integer less than n; $h_{r}$ is a positive integer less than n; $D_{\alpha q}$ is a discrete Gaussian distribution; $D_{\alpha q}^{n}$ is a product distribution of n independent and identically distributed random variables according to the distribution $D_{\alpha q}$; $(D_{\alpha q}^{n})^{d}$ is a product distribution of d independent and identically distributed random variables according to the distribution $D_{\alpha q}^{n}$; and $WT_{n}(h_{s})^{d}$ and $WT_{n}(h_{r})^{d}$ are distributions of randomly sampled d polynomials of degree (n−1), the coefficients of which are −1, 0, or +1, from $WT_{n}(h_{s})$ and $WT_{n}(h_{r})$, respectively, wherein $WT_{n}(h_{s})$ and $WT_{n}(h_{r})$ are distributions of uniformly sampled vectors from $\{-1, 0, 1\}^{n}$, under the condition that said vectors have $h_{s}$ and $h_{r}$ non-zero elements, respectively.